- Issue created by @duivw
- e0ipso Can Picafort
If you don't want these fields to be publicly accessible to anonymous users, have you considered adding field access rules?
We do perform access checks; however, this change would further guarantee that no field is inadvertently exposed to the API, even if multiple people with differences in experience work on the project and don't keep in mind that fields added to nodes will be added to the API as well. This change would also make it so that if, in a few years' time, new fields are added to nodes, they aren't automatically exposed on the API, which I believe to be a good thing.
This change wouldn't necessarily be useful for an entirely headless Drupal application, but in our use case we are providing an API together with the regular Drupal frontend, and while users may see a body field in the frontend, for reasons of response time we don't want to expose it in the API. The same may be said for new fields added later down the line.
- 🇯🇵Japan ptmkenny
Please add an MR instead of a patch. Drupal.org CI infrastructure only runs the module's tests on MRs, not patches.